[c-nsp] IDSM-2 Module VS. TippingPoint VS. Other IDS solutions

Justin Shore justin at justinshore.com
Sun Sep 6 11:00:52 EDT 2009


Drew Weaver wrote:
> Does anyone have any real world experience working with the IDSM-2 modules for the 6500 platform?
> 
> I am specifically trying to find people who have used both the IDSM-2 vs. TippingPoint and even vs. other IDS products...
> 
> Any off-list or on-list anecdotes or opinions are highly appreciated.

I do have 1 tidbit to share.  First an explanation for those that don't 
know and the list archives.  IDSM2 modules have 2 operating modes: 
inline and passive.  Inline is where you funnel traffic through them by 
mapping 2 VLANs to them for the inside and outside, sort of like the 
FWSM (BTW, like the FWSM the IDSM2 is not VRF-aware; using the VLANs is 
the solution for both LCs).  Passive is where you simply use an internal 
port span to get interesting traffic over to one of the IDSM2's internal 
ports.  IDSM2s ONLY operate in passive mode on 7600s or any other 
devices running SR.  Inline does not work.  If you happen to be running 
the older SR code that works on both 6500 and 7600s then you're SOL.

We bought the IDSM2s and 7600s right in the middle of the BU split. 
Roughly 2.5 years later we're still waiting to get Cisco to take them 
back (trying to trade for a MARS appliance so it's still a sale for 
Cisco).  We've never used them, never been able to.  The product didn't 
work as advertised.  It was a Cisco Advanced Services SME that actually 
discovered the problem for us.  He found the problem acknowledged on an 
internal Cisco mailing list.  Nothing public has ever been said about it 
to the best of my knowledge.

Even if the IDSM2 actually worked in my 7600s I would still recommend a 
different solution.  It can only do 4 contexts.  That's not very much in 
the grand scheme of things.  That's not very much throughput for a 40G 
slot or even a 20G slot.  In fact I think it's like the FWSM2 and tops 
out at 6G.  Given the sheer expense of each context, that's not exactly 
something we can sell to our customers as an upsell service.  Personally 
I would recommend an appliance solution instead of a LC.  One of Cisco's 
appliance based solutions would be fine and cost less.  Cisco seems to 
be driving that way.  They EoLed the Anomaly Detector/Guard LCs for the 
7600s in favor of the appliance version.  I'm sure it's less expensive 
to produce, requires less interop with other BUs and can be useful to 
other customers that don't have/need the larger chassis in that form factor.

My $.02
  Justin
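For readers unfamiliar with the two modes Justin describes, here is an added illustration (not from the thread) of what each looks like on the Catalyst 6500 supervisor side. Command syntax follows the Catalyst 6500 IOS IDSM-2 configuration; the slot number (5) and all VLAN IDs are assumed values.

```cisco
! Added example, not from the original post. IDSM-2 assumed in slot 5.

! --- Inline mode: the two sensor data ports are placed in an "outside"
! VLAN and an "inside" VLAN, so every frame crossing between the two VLANs
! must traverse the sensor (the FWSM-like "map 2 VLANs" arrangement).
! The sensor itself then pairs its two interfaces on the IPS CLI.
intrusion-detection module 5 management-port access-vlan 100
intrusion-detection module 5 data-port 1 access-vlan 10
intrusion-detection module 5 data-port 2 access-vlan 20

! --- Passive (promiscuous) mode: hosts stay on their own VLAN and a
! local SPAN session copies the traffic to one sensor data port. The
! sensor only sees a copy, so it can alert but cannot drop anything.
! Per the post, this is the only mode that works on 7600s running SR.
monitor session 1 source vlan 30 both
monitor session 1 destination intrusion-detection-module 5 data-port 1
```

The key operational difference is that inline mode puts the module in the forwarding path (a module failure or misconfiguration can interrupt traffic), whereas passive mode can never block and is limited by SPAN/capture throughput on the chassis.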